Uncontrolled search path element
Description
The `LoadLibrary` function is used to load DLLs dynamically. Depending on the filepath parameter, the OS version, and the modes set for the process prior to calling LoadLibrary, DLL hijacking may be possible. Attackers can exploit this by placing DLL files with the same name in directories that are searched before the legitimate DLL is.
Examples
Insecure Code
c
LoadLibrary("library.dll");Secure Code
c
LoadLibraryEx("C:\\\\path\\\\library.dll", NULL, LOAD_LIBRARY_SEARCH_DEFAULT_DIRS);Remediation
Specify a fully qualified path when using LoadLibraryEx, use the `LOAD_LIBRARY_SEARCH` flags with LoadLibraryEx or with SetDefaultDllDirectories, and modify the list of directories using AddDllDirectory or SetDllDirectory functions.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0596 |
| Category | InsecureConfig |
| Severity | HIGH |
| CWE | CWE-427 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | DLL hijacking, LoadLibrary |
| OWASP | A1:2017-Injection, A03:2021-Injection |